22e95d94cde98b6673e7dcc4f12ca51ee5961fad6919f1de79518b9cf923318a

Analysis

max time kernel
1s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d548186754e1ce8d7ecd747f8e96178.exe
Size

420KB
MD5

2d548186754e1ce8d7ecd747f8e96178
SHA1

2c401f50dc34d082325c8fd0602d1867b652f54b
SHA256

22e95d94cde98b6673e7dcc4f12ca51ee5961fad6919f1de79518b9cf923318a
SHA512

fe4cfbe8f1a00f6c5fe26af9b3583b5f49fc7ddc18f875f6671bdad4a42b989c9c1d9aae3a23c9a7fbcbfb6c4c254ae2a8f6ca4d72601442718373d58d9c7681
SSDEEP

6144:YsxFXHvGfKfr5oe4bcy3bbkooLrU7IN5JhVeMlhK8QcP9qAta2KJz0WPZIGE3dIF:RF3ufKfQdFQU7IN5Jh84d4ATWmGEWF

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
5396	2d548186754e1ce8d7ecd747f8e96178.exe
5396	2d548186754e1ce8d7ecd747f8e96178.exe
5396	2d548186754e1ce8d7ecd747f8e96178.exe
5396	2d548186754e1ce8d7ecd747f8e96178.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5548	WMIC.exe
Token: SeSecurityPrivilege	5548	WMIC.exe
Token: SeTakeOwnershipPrivilege	5548	WMIC.exe
Token: SeLoadDriverPrivilege	5548	WMIC.exe
Token: SeSystemProfilePrivilege	5548	WMIC.exe
Token: SeSystemtimePrivilege	5548	WMIC.exe
Token: SeProfSingleProcessPrivilege	5548	WMIC.exe
Token: SeIncBasePriorityPrivilege	5548	WMIC.exe
Token: SeCreatePagefilePrivilege	5548	WMIC.exe
Token: SeBackupPrivilege	5548	WMIC.exe
Token: SeRestorePrivilege	5548	WMIC.exe
Token: SeShutdownPrivilege	5548	WMIC.exe
Token: SeDebugPrivilege	5548	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5548	WMIC.exe
Token: SeRemoteShutdownPrivilege	5548	WMIC.exe
Token: SeUndockPrivilege	5548	WMIC.exe
Token: SeManageVolumePrivilege	5548	WMIC.exe
Token: 33	5548	WMIC.exe
Token: 34	5548	WMIC.exe
Token: 35	5548	WMIC.exe
Token: 36	5548	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5548	WMIC.exe
Token: SeSecurityPrivilege	5548	WMIC.exe
Token: SeTakeOwnershipPrivilege	5548	WMIC.exe
Token: SeLoadDriverPrivilege	5548	WMIC.exe
Token: SeSystemProfilePrivilege	5548	WMIC.exe
Token: SeSystemtimePrivilege	5548	WMIC.exe
Token: SeProfSingleProcessPrivilege	5548	WMIC.exe
Token: SeIncBasePriorityPrivilege	5548	WMIC.exe
Token: SeCreatePagefilePrivilege	5548	WMIC.exe
Token: SeBackupPrivilege	5548	WMIC.exe
Token: SeRestorePrivilege	5548	WMIC.exe
Token: SeShutdownPrivilege	5548	WMIC.exe
Token: SeDebugPrivilege	5548	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5548	WMIC.exe
Token: SeRemoteShutdownPrivilege	5548	WMIC.exe
Token: SeUndockPrivilege	5548	WMIC.exe
Token: SeManageVolumePrivilege	5548	WMIC.exe
Token: 33	5548	WMIC.exe
Token: 34	5548	WMIC.exe
Token: 35	5548	WMIC.exe
Token: 36	5548	WMIC.exe
Token: SeIncreaseQuotaPrivilege	6076	WMIC.exe
Token: SeSecurityPrivilege	6076	WMIC.exe
Token: SeTakeOwnershipPrivilege	6076	WMIC.exe
Token: SeLoadDriverPrivilege	6076	WMIC.exe
Token: SeSystemProfilePrivilege	6076	WMIC.exe
Token: SeSystemtimePrivilege	6076	WMIC.exe
Token: SeProfSingleProcessPrivilege	6076	WMIC.exe
Token: SeIncBasePriorityPrivilege	6076	WMIC.exe
Token: SeCreatePagefilePrivilege	6076	WMIC.exe
Token: SeBackupPrivilege	6076	WMIC.exe
Token: SeRestorePrivilege	6076	WMIC.exe
Token: SeShutdownPrivilege	6076	WMIC.exe
Token: SeDebugPrivilege	6076	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6076	WMIC.exe
Token: SeRemoteShutdownPrivilege	6076	WMIC.exe
Token: SeUndockPrivilege	6076	WMIC.exe
Token: SeManageVolumePrivilege	6076	WMIC.exe
Token: 33	6076	WMIC.exe
Token: 34	6076	WMIC.exe
Token: 35	6076	WMIC.exe
Token: 36	6076	WMIC.exe
Token: SeIncreaseQuotaPrivilege	6076	WMIC.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5396 wrote to memory of 5548	5396	2d548186754e1ce8d7ecd747f8e96178.exe	27
PID 5396 wrote to memory of 5548	5396	2d548186754e1ce8d7ecd747f8e96178.exe	27
PID 5396 wrote to memory of 5548	5396	2d548186754e1ce8d7ecd747f8e96178.exe	27
PID 5396 wrote to memory of 6076	5396	2d548186754e1ce8d7ecd747f8e96178.exe	29
PID 5396 wrote to memory of 6076	5396	2d548186754e1ce8d7ecd747f8e96178.exe	29
PID 5396 wrote to memory of 6076	5396	2d548186754e1ce8d7ecd747f8e96178.exe	29
PID 5396 wrote to memory of 5372	5396	2d548186754e1ce8d7ecd747f8e96178.exe	31
PID 5396 wrote to memory of 5372	5396	2d548186754e1ce8d7ecd747f8e96178.exe	31
PID 5396 wrote to memory of 5372	5396	2d548186754e1ce8d7ecd747f8e96178.exe	31
PID 5396 wrote to memory of 5620	5396	2d548186754e1ce8d7ecd747f8e96178.exe	35
PID 5396 wrote to memory of 5620	5396	2d548186754e1ce8d7ecd747f8e96178.exe	35
PID 5396 wrote to memory of 5620	5396	2d548186754e1ce8d7ecd747f8e96178.exe	35

C:\Users\Admin\AppData\Local\Temp\2d548186754e1ce8d7ecd747f8e96178.exe
"C:\Users\Admin\AppData\Local\Temp\2d548186754e1ce8d7ecd747f8e96178.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5396
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC csproduct Get UUID /FORMAT:textvaluelist.xsl
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5548
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC bios Get SerialNumber /FORMAT:textvaluelist.xsl
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6076
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC bios Get Version /FORMAT:textvaluelist.xsl
  2⤵
  PID:5372
- C:\Users\Admin\AppData\Local\Temp\nsg3DC6.tmp\7za.exe
  7za.exe e -y -p"bbcd33733ea131bba3f0ebbb12cbfa9b" [RANDOM_STRING].7z
  2⤵
  PID:1616
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  WMIC csproduct Get Name /FORMAT:textvaluelist.xsl
  2⤵
  PID:5620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsg3DC6.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit